File carving Analyze of Foremost and Autopsy on external SSD mSATA using the Association of Chief Police Officer Method


Khoirul Anam Dahlan(1*); Anton Yudhana(2); Herman Yuliansyah(3);

(1) Universitas Ahmad Dahlan
(2) Universitas Ahmad Dahlan
(3) Universitas Ahmad Dahlan
(*) Corresponding Author

  

Abstract


File carving is a method for recovering files using software such as Foremost and Autopsy. The recovery is conducted for deleted files or formatted devices. Popularity Solid State Drive (SSD) has outperformed Hard Disk Drive (HDD) because SSD is faster, more efficient, and shock resistant. However, recovering SSD devices have a lower probability success rate than HDD because the security system often hampers files recovered on SSD. Based on previous research, the success rate of Security Digital High Capacity (SDHC) only achieved 50% more than SSD, whereas SSD can only return 85.7% of its success. Forensics Digital is a part of Forensics Knowledge for deliver valid digital evidence for law investigation. This research aims to increase the success rate of recovery files using two different software: Foremost and Autopsy. The research uses a 512GB Eaget brand SSD with a New Technology File System (NTFS). The file carving is also conducted using the Association of Chief Police Officers (ACPO) method. APCO has several stages: Planning, Capture, Analysis, and Presentation. The experiment results show that Autopsy software with deep recover mode returned 81 out of 88 files (92%), whereas Foremost software run on Debian to make sure no virus on device that could damage computer especially windows system. First attempt recovery can only return 46 out of 88 files (52%). The findings show that the Autopsy software has a higher successful return rate and can be used for evidence in law enforcement and digital forensics investigations.


Keywords


ACPO; Autopsy; Digital Forensics; Foremost; SSD

  
  

Full Text:

PDF
  

Article Metrics

Abstract view: 27 times
PDF view: 19 times 		     

Digital Object Identifier

doi  https://doi.org/10.33096/ilkom.v16i3.2360.283-295 		  

Cite

How to cite item

References


J. Liu, T. Wang, X. Chen, C. Li, Z. Shen, and Z. Zhang, “H2-RAID: Improving the reliability of SSD RAID with unified SSD and HDD hybrid architecture,” Microprocess. Microsyst., vol. 105, p. 104993, Mar. 2024, doi: 10.1016/J.MICPRO.2023.104993.

J. Ryu, D. K. Noh, and K. Kang, “FlashPage: A read cache for low-latency SSDs in web proxy servers,” Eng. Sci. Technol. an Int. J., vol. 51, no. January, p. 101639, 2024, doi: 10.1016/j.jestch.2024.101639.

D. Kim, J. Kim, K. Choi, H. Han, M. Ryu, and S. Kang, “Dynamic zone redistribution for key-value stores on zoned namespaces SSDs,” J. Syst. Archit., vol. 152, p. 103159, Jul. 2024, doi: 10.1016/J.SYSARC.2024.103159.

L. Luo, S. Li, Y. Lv, and L. Shi, “Performance and reliability optimization for high-density flash-based hybrid SSDs,” J. Syst. Archit., vol. 136, p. 102830, Mar. 2023, doi: 10.1016/J.SYSARC.2023.102830.

P. Santikellur, M. Buddhanoy, S. Sakib, B. Ray, and R. S. Chakraborty, “A shared page-aware machine learning assisted method for predicting and improving multi-level cell NAND flash memory life expectancy,” Microelectron. Reliab., vol. 140, p. 114867, Jan. 2023, doi: 10.1016/J.MICROREL.2022.114867.

X. Li, M. Kim, S. Lee, Z. Zhai, and J. Kim, “Program context-assisted address translation for high-capacity SSDs,” Futur. Gener. Comput. Syst., vol. 162, p. 107483, Jan. 2025, doi: 10.1016/J.FUTURE.2024.107483.

D. Brown et al., “Detecting firmware modification on solid state drives via current draw analysis,” Comput. Secur., vol. 102, p. 102149, Mar. 2021, doi: 10.1016/J.COSE.2020.102149.

A. Genç, H. Doğan, L. Turhan, A. Kocakuşak, and S. Helhel, “Investigation of the radiated emission of honeycomb structured aluminum foam/cellular heatsinks at 1–10 GHz,” Mater. Chem. Phys., vol. 324, p. 129614, Sep. 2024, doi: 10.1016/J.MATCHEMPHYS.2024.129614.

A. Chamkha, A. Veismoradi, M. Ghalambaz, and P. Talebizadehsardari, “Phase change heat transfer in an L-shape heatsink occupied with paraffin-copper metal foam,” Appl. Therm. Eng., vol. 177, p. 115493, Aug. 2020, doi: 10.1016/J.APPLTHERMALENG.2020.115493.

J. Gruber, C. J. Hargreaves, and F. C. Freiling, “Contamination of digital evidence: Understanding an underexposed risk,” Forensic Sci. Int. Digit. Investig., vol. 44, p. 301501, Mar. 2023, doi: 10.1016/J.FSIDI.2023.301501.

G. Horsman, “Digital evidence and the crime scene,” Sci. Justice, vol. 61, no. 6, pp. 761–770, Nov. 2021, doi: 10.1016/J.SCIJUS.2021.10.003.

P. Sokol, Ľ. Antoni, O. Krídlo, E. Marková, K. Kováčová, and S. Krajči, “Formal concept analysis approach to understand digital evidence relationships,” Int. J. Approx. Reason., vol. 159, p. 108940, Aug. 2023, doi: 10.1016/J.IJAR.2023.108940.

R. Stoykova, “The right to a fair trial as a conceptual framework for digital evidence rules in criminal investigations,” Comput. Law Secur. Rev., vol. 49, p. 105801, Jul. 2023, doi: 10.1016/J.CLSR.2023.105801.

N. I. Park et al., “Advanced forensic method to authenticate audio files from Tizen-based Samsung Galaxy Watches,” Forensic Sci. Int. Digit. Investig., vol. 48, p. 301697, Mar. 2024, doi: 10.1016/J.FSIDI.2024.301697.

C. M. Miller, “A survey of prosecutors and investigators using digital evidence: A starting point,” Forensic Sci. Int. Synerg., vol. 6, p. 100296, Jan. 2023, doi: 10.1016/J.FSISYN.2022.100296.

M. B. Rahayu, “Polisi Duga Panitia Diksar Mapala UII Hapus Seluruh File Kegiatan,” DetikNews. Accessed: Jul. 08, 2024.

D. Dunsin, M. C. Ghanem, K. Ouazzane, and V. Vassilev, “A comprehensive analysis of the role of artificial intelligence and machine learning in modern digital forensics and incident response,” Forensic Sci. Int. Digit. Investig., vol. 48, p. 301675, Mar. 2024, doi: 10.1016/J.FSIDI.2023.301675.

A. Yudhana, Imam Riadi, and Budi Putra, “Digital Forensic on Secure Digital High Capacity using DFRWS Method,” J. RESTI (Rekayasa Sist. dan Teknol. Informasi), vol. 6, no. 6, pp. 1021–1027, Dec. 2022, doi: 10.29207/resti.v6i6.4615.

Y. Wei, N. Zheng, and M. Xu, “An automatic carving method for RAR file based on content and structure,” Proc. - 2nd Int. Conf. Inf. Technol. Comput. Sci. ITCS 2010, pp. 68–72, 2010, doi: 10.1109/ITCS.2010.23.

F. Barr-Smith, T. Farrant, B. Leonard-Lagarde, D. Rigby, S. Rigby, and F. Sibley-Calder, “Dead Man’s Switch: Forensic Autopsy of the Nintendo Switch,” Forensic Sci. Int. Digit. Investig., vol. 36, p. 301110, Apr. 2021, doi: 10.1016/J.FSIDI.2021.301110.

M. Samiullah, W. Aslam, S. Sadiq, A. Mehmood, and G. S. Choi, “Hyperchaos and MD5 Based Efficient Color Image Cipher,” Comput. Mater. Contin., vol. 72, no. 1, pp. 1645–1670, Feb. 2022, doi: 10.32604/CMC.2022.021019.

H. Heath, Á. MacDermott, and A. Akinbi, “Forensic analysis of ephemeral messaging applications: Disappearing messages or evidential data?,” Forensic Sci. Int. Digit. Investig., vol. 46, p. 301585, Sep. 2023, doi: 10.1016/J.FSIDI.2023.301585.

G. Horsman, “ACPO principles for digital evidence: Time for an update?,” Forensic Sci. Int. Reports, vol. 2, p. 100076, Dec. 2020, doi: 10.1016/J.FSIR.2020.100076.

G. Thornton and P. Bagheri Zadeh, “An investigation into Unmanned Aerial System (UAS) forensics: Data extraction & analysis,” Forensic Sci. Int. Digit. Investig., vol. 41, p. 301379, Jun. 2022, doi: 10.1016/J.FSIDI.2022.301379.

S. Brotsis et al., “Blockchain meets Internet of Things (IoT) forensics: A unified framework for IoT ecosystems,” Internet of Things, vol. 24, p. 100968, Dec. 2023, doi: 10.1016/J.IOT.2023.100968.

E. Mantas and C. Patsakis, “Who watches the new watchmen? The challenges for drone digital forensics investigations,” Array, vol. 14, p. 100135, Jul. 2022, doi: 10.1016/J.ARRAY.2022.100135.

N. S. Vaidya and P. H. Rughani, “A forensic study of Tor usage on the Raspberry Pi platform using open source tools,” Comput. Fraud Secur., vol. 2020, no. 6, pp. 13–19, Jun. 2020, doi: 10.1016/S1361-3723(20)30064-6.

X. Fernández-Fuentes, T. F. Pena, and J. C. Cabaleiro, “Digital forensic analysis methodology for private browsing: Firefox and Chrome on Linux as a case study,” Comput. Secur., vol. 115, p. 102626, Apr. 2022, doi: 10.1016/J.COSE.2022.102626.

R. Nordvik and S. Axelsson, “It is about time–Do exFAT implementations handle timestamps correctly?,” Forensic Sci. Int. Digit. Investig., vol. 42–43, p. 301476, Oct. 2022, doi: 10.1016/J.FSIDI.2022.301476.

P. Sommer, “Evidence from hacking: A few tiresome problems,” Forensic Sci. Int. Digit. Investig., vol. 40, p. 301333, Mar. 2022, doi: 10.1016/J.FSIDI.2022.301333.

G. Horsman, “Conducting a ‘manual examination’ of a device as part of a digital investigation,” Forensic Sci. Int. Digit. Investig., vol. 40, p. 301331, Mar. 2022, doi: 10.1016/J.FSIDI.2021.301331.

J. Gruber, L. L. Voigt, Z. Benenson, and F. C. Freiling, “Foundations of cybercriminalistics: From general process models to case-specific concretizations in cybercrime investigations,” Forensic Sci. Int. Digit. Investig., vol. 43, p. 301438, Sep. 2022, doi: 10.1016/J.FSIDI.2022.301438.

D. Kane et al., “Storage of evidence and delayed reporting after sexual assault: Rates and impact factors on subsequent reporting,” J. Forensic Leg. Med., vol. 106, p. 102731, Aug. 2024, doi: 10.1016/J.JFLM.2024.102731.

D. Rani, N. S. Gill, and P. Gulia, “A forensic framework to improve digital image evidence administration in IIoT✰,” J. Ind. Inf. Integr., vol. 38, p. 100568, Mar. 2024, doi: 10.1016/J.JII.2024.100568.

A. Holmes and W. J. Buchanan, “A framework for live host-based Bitcoin wallet forensics and triage,” Forensic Sci. Int. Digit. Investig., vol. 44, p. 301486, Mar. 2023, doi: 10.1016/J.FSIDI.2022.301486.

Amirullah, “Detik-detik KKB Papua Tembak Polisi yang Berada di Mobil Tengah Melintas, Videonya Viral,” Serambinews, Mar. 25, 2024.

A. nasrudin Yahya, “Titik Terang Pembebasan Pilot Susi Air Usai Setahun Disandera KKB,” Kompas, Feb. 06, 2024.


Refbacks

  • There are currently no refbacks.


Copyright (c) 2024 Khoirul Anam Dahlan, Anton Yudhana, Herman Yuliansyah

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.